ungleich-learning-circle/sami/my-org-files/cdist.org/#all-in-one#

43 lines
2.1 KiB
Text
Raw Normal View History

2020-05-22 14:35:56 +00:00
*** cdist #6: Glueing it together
**** Lecture content
***** Objective
- Apply learnings from the previous cdist sessions
***** Steps 1: *__all_in_one* (1.25h)
- Create a new type named *__all_in_one*
- Decide yourself whether it is a singleton or not
- Reason why in your cdist.org file
- It should work on alpine, debian and fedora
- It accepts the following parameters:
- *--with-x* (boolean)
- *--extra-packages* (optional multiple)
- On Alpine, it should install netcat-openbsd and tshark
- On Debian, it should install netcat tshark
- On Fedora, it should install nmap-ncat wireshark-cli
- On all operating systems install socat sipcalc sudo
- If the detected operating system is neither
Alpine/Debian/Fedora, output an error message and abort the
manifest with exit code 1
- Additionally install all packages specified by the *--extra-packages* parameter
***** Steps 2: *__firewall* (1.25h)
- Create a new type *__my_firewall*
- Add a *type explorer* to find out whether nft is present on
the target system
- Add a required parameter named *file*
- If the type explorer does not detect nft on the target system,
abort with an error message
- Deploy the specified file to */etc/my-nftables*
- Add a *type explorer* that reads the current nft rules
- If the rules are different on the target host, apply the new
ruleset by generating code in *gencode-remote*
- If the filename specified by the *file* parameter is *-* (the
minus sign), then the type should read from *stdin*
***** Step 3: manifest (0.5h)
- Create a new manifest in the folder that contains the initial manifest
- Name the new manifest *firewall*
- Source the *firewall* manifest in the *initial* manifest
- In the *firewall* manifest, match on *localhost*
- Install nftables
- Use the *__firewall* type
- Use correct *require* parameter to ensure that nftables is
installed before the *__firewall* type is run